Docker Registry is vulnerable to CVE-2013-0169 (LUCKY13) and CVE-2011-3389 (BEAST) #3333
Comments
I'm surprised this has been hanging out there for so long when it is a pretty major security requirement.
@dariusj18 Same... All they have to do is make a new release with PR #2808, maybe by 2022
I'm going to need to either switch my registry to a different product, or forgo having a local registry at all because of this.
CC #3359
Hi. Is the
This is not supported in either of those releases.
Okay, thanks.
How come the official Docker documentation includes this configuration option if it is not supported by the latest release?
I can't comment on why the official documentation includes configuration that does not seem to be supported by the latest release. I can simply confirm I experienced the same situation as you all. For your information, the "development" image works better. TLS 1.0 and 1.1 are gone. And this happens without configuring anything; it seems to be the default behavior. Give it a try. I tested the registry with 2.7.0-272-gc63b5805. Docker pull/push works just fine and the security vulnerabilities related to TLS are now fixed.
Thanks, I'll try that!
@lefranco6910 Using a
Maybe in 2022 they care about security; issue still valid
Tried building it manually from the 2.8 release branch on the GitHub repo and it's the only version I found that respects the minimumtls config; anything else just discards it.
Build from
@milosgajdos I tried 2.7.1 from Docker Hub, which I guess is aligned with the 2.7 release branch, but still it did not respect the minimumtls value. Should I try manually building from main? Any differences with the Docker Hub version?
Yes, all the tagged images are aligned with GH branches, hence you'll have no luck with those. The beta Finally, if you'd like a Docker image build off
Thanks for the great info @milosgajdos. Will give it a try
I can confirm that this issue was fixed by #3552. Thank you! @milosgajdos
The current release of Docker Registry only supports TLS 1.0 and there's no way to change it. PR #2808 added support for changing this but has never been included in a release. This PR was merged over a year ago.
Replicate:
Deploy Docker Registry using this:
Tested using the testssl.sh CLI:
docker run --rm -ti drwetter/testssl.sh 10.0.2.15
Report:
TLS 1.0 and TLS 1.1 are considered industry deprecated by now, yet Docker Registry provides no way of mitigating this issue. At a minimum, TLS 1.2 should be the default.
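An added example, not code from this issue or from the distribution project: a Go probe that mirrors what the testssl.sh run above checks. It starts an in-process HTTPS server whose MinVersion stands in for the registry's minimumtls setting (the accepted spellings "tls1.0".."tls1.3" and the parse helper are this example's assumptions, not the project's schema), then pins a client to each protocol version in turn to see which ones the server still accepts.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// parseMinimumTLS maps an operator-facing minimum-version string to Go's constant
// (spellings are this example's assumption). Unset falls back to TLS 1.2, the floor the issue asks for.
func parseMinimumTLS(s string) (uint16, error) {
	switch strings.ToLower(strings.TrimSpace(s)) {
	case "tls1.0":
		return tls.VersionTLS10, nil
	case "tls1.1":
		return tls.VersionTLS11, nil
	case "", "tls1.2":
		return tls.VersionTLS12, nil
	case "tls1.3":
		return tls.VersionTLS13, nil
	}
	return 0, fmt.Errorf("unsupported minimum TLS version %q", s)
}

// probe starts an HTTPS server (httptest's self-signed cert) with the given MinVersion and
// attempts one handshake per protocol version with a client pinned to exactly that version,
// as a scanner does. The returned map says which versions the server accepted.
func probe(minVersion uint16) map[string]bool {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	srv.TLS = &tls.Config{MinVersion: minVersion}
	srv.StartTLS()
	defer srv.Close()
	base := srv.Client().Transport.(*http.Transport) // already trusts the test certificate
	accepted := map[string]bool{}
	for name, v := range map[string]uint16{"TLS1.0": tls.VersionTLS10, "TLS1.1": tls.VersionTLS11,
		"TLS1.2": tls.VersionTLS12, "TLS1.3": tls.VersionTLS13} {
		tr := base.Clone() // Clone deep-copies TLSClientConfig, so each probe gets its own pin
		tr.TLSClientConfig.MinVersion, tr.TLSClientConfig.MaxVersion = v, v
		resp, err := (&http.Client{Transport: tr}).Get(srv.URL)
		if err == nil {
			resp.Body.Close()
		}
		tr.CloseIdleConnections()
		accepted[name] = err == nil // false: the server refused a handshake at this version
	}
	return accepted
}
```

With the floor left unset, probe reports TLS 1.0 and 1.1 refused and 1.2 and 1.3 accepted; with "tls1.0" all four are accepted, which is the state the testssl.sh report flags.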